Lucene search

GitLabVULNRICHMENT:CVE-2024-8754

HistorySep 12, 2024 - 5:02 p.m.

CVE-2024-8754 External Control of Critical State Data in GitLab

2024-09-1217:02:00

CWE-642

GitLab

github.com

cve-2024-8754

gitlab

improper input validation

accounts

provider identities

squatting

jwt authentication

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

30.8%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured.

References

gitlab.com/gitlab-org/gitlab/-/issues/464062

CVSS3

6.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

30.8%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2024-8754